Allowing Remote Access to PostgreSQL Alexandria

If you have firewalld enabled on the PostgreSQL server and you would like to allow access from other clients, you will need to add the PostgreSQL service and reload the firewall configuration.

firewall-cmd --add-service=postgresql --permanent
firewall-cmd --reload

PostgreSQL, by default, only allows local connections. If you would like to open access to network clients or if you are installing the Client Tools on a separate server (installation type 2), modify the following configuration files:

postgresql.conf

listen_addresses = '*'    # Allow remote connections on any network interface.
                          # You can also specify an individual IP address or
                          # comma-separated list of IP addresses.

This change requires a PostgreSQL restart.

For more detailed information, see https://www.postgresql.org/docs/10/runtime-config-connection.html.


pg_hba.conf

For every client requiring remote access, including the Client Tools processing server in a type 2 installation, a host entry is required. Briefly, a host record consists of space or tab-separated values:

  • host: local, host, hostssl, hostnossl
  • database: all, sameuser, samerole, replication
  • user: all, user name
  • address: client IP address(es), CIDR mask is allowed
  • method: trust, password, etc.

As an example, assume 2 sets of clients need access to the alexandria database, a data operations team and the CLAIMS Direct Client Tools. The data operations team will need access from any IP address on the 192.168.111.x network and the Client Tools will be updating the database from 10.234.1.6. The following entries are required for access:

# HOST    DATABASE   USER       ADDRESS               METHOD
# dataops needs access to the entire cluster, hence DATABASE is all
host      all        all        192.168.111.0/24      trust

# CLAIMS Direct Client Tools only need access to the alexandria database
# and by-default, use a fixed user: alexandria
host      alexandria alexandria 10.234.1.6/32         trust

Changes to pg_hba.conf require a configuration reload to take effect, e.g.,

SELECT pg_reload_conf();

For a detailed explanation of the host-based access file, see https://www.postgresql.org/docs/10/auth-pg-hba-conf.html.


Other Methods of Authentication

Other methods of authentication may also be used. For example:

  • To use ident, create an OS user.
  • To use a password, as on md5 or scram-sha-256, CREATE ROLE … WITH PASSWORD and confirm that the same password is specified in /etc/alexandria.xml on the machine on which the Client Tools will be running.

Contact support@ificlaims.com if you have different security requirements.